Once running, the worm injects code into "explorer.exe", as well as into many other running processes on your computer. Note that the number of processes it is capable of injecting into depends on whether the currently logged-on user is running with Administrator privileges or not. Malware often does this in order to hide itself from security software.

Spreads via…

USB flash drives

The worm registers a device notification so that it is notified whenever a USB flash drive is plugged into your computer. The worm then copies itself to the drive, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the malware. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
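As an added example (not part of the original description), a small Python check a defender can run over the contents of a removable drive: it parses autorun.inf tolerantly and reports any executable on the drive that the file would launch through open=, shellexecute= or shell\...\command=. Because the worm's copy has a variable name, the check keys on what Autorun would launch rather than on a fixed file name; the sample autorun.inf contents, file names and RECYCLER path are constructed for this example.

```python
import re
# [autorun] keys whose value runs, or is offered as a shell verb, when the drive is opened with Autorun enabled.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

def parse_autorun(text: str) -> dict[str, str]:
    """Tolerant parser: keep key=value lines of [autorun], skip comments and junk lines."""
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries

def _norm(path: str) -> str:
    """Lower-case path with '\\' separators, no leading '\\'; arguments after a space dropped."""
    return (path.split() or [""])[0].lower().replace("/", "\\").lstrip("\\")

def executable_launch_targets(text: str, drive_files: list[str]) -> list[str]:
    """Executables present on the drive that this autorun.inf would launch. The worm's
    copy has a variable name, so match on what is launched and its extension, not a name."""
    present = {_norm(f) for f in drive_files}
    hits = set()
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            target = _norm(value)
            if target.endswith(EXEC_EXTS) and target in present:
                hits.add(target)
    return sorted(hits)

# Constructed samples, not artefacts of the worm: an infected drive whose autorun.inf
# launches a hidden executable, and a clean drive whose autorun.inf sets a label and icon only.
INFECTED_INF = r"""[autorun]
;x9q2 padding line of the kind malware inserts to confuse naive parsers
icon=%SystemRoot%\system32\shell32.dll,4
open=RECYCLER\jk2ql.exe
shell\open\command=RECYCLER\jk2ql.exe
"""
INFECTED_FILES = ["autorun.inf", r"RECYCLER\jk2ql.exe", r"photos\trip.jpg"]
CLEAN_INF = "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n"
CLEAN_FILES = ["autorun.inf", "photos.ico", r"photos\trip.jpg"]
```

On a real drive, pass the output of a recursive directory listing (relative paths) as drive_files; a non-empty result means the drive will run an executable as soon as Autorun processes it.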

Instant messaging/Internet Relay Chat (IRC)

Using its backdoor functionality, the worm can be ordered by a hacker to spread via instant messaging platforms such as MSN, Pidgin chat, Xchat and mIRC. Messages are sent to all of your contacts. The content of the messages and the frequency at which they are sent are configured by the hacker.

Payload

Allows backdoor access and control

Worm:Win32/Dorkbot.A connects to a particular IRC server, joins a channel and waits for commands. In the wild, we have observed the worm using IRC servers on the following domains for this purpose:

lovealiy.com
shuwhyyu.com
syegyege.com

Using this backdoor, a hacker can perform a number of different actions on your computer. As well as being able to spread via instant messaging applications, the worm can also be ordered to perform the following actions:

Get information about your computer; the worm contacts "api.wipmania.com" for your computer's IP address and location. It then collects your computer's operating system type, current user privilege level (for example, whether you have administrator rights) and locale.

Protect itself; the worm can be instructed to prevent you from viewing or tampering with its files. This is done by hooking the following functions in every process it has injected into:

CopyFileA/W
DeleteFileA/W
NtEnumerateValueKey
NtQueryDirectoryFile

Change your computer's files; the worm can be instructed to overwrite the following files in order to prevent itself from being detected and removed:

cmd.exe
ipconfig.exe
regedit.exe
regsvr32.exe
rundll32.exe
verclsid.exe

Steal passwords/sensitive data; the worm is capable of intercepting Internet browser communications with various websites and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The malware can also target FTP credentials.

Infect websites; the worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame; this action may help the worm to spread.

Block access to security websites; the worm may be ordered to block user access to sites with the following strings in their domain:

avast.
avg.
avira.
bitdefender.
bullguard.
clamav.
comodo.
emsisoft.
eset.
fortinet.
f-secure.
garyshood.
gdatasoftware.
heck.tc
iseclab.
jotti.
kaspersky.
lavasoft.
malwarebytes.
mcafee.
necare.live.
norman.
norton.
novirusthanks
onlinemalwarescanner.
pandasecurity.
precisesecurity.
sophos.
sunbeltsoftware.
symantec
threatexpert.
trendmicro.
virscan.
virus.
virusbuster.nprotect.
viruschief.
virustotal.
webroot.

Using the backdoor, a hacker can also order the worm to:

Download and run files, including updates

Visit specified URLs

Perform DDoS (Distributed Denial of Service) attacks using SYN or UDP floods against a specified target